Search papers, labs, and topics across Lattice.
This paper introduces AcMAS, an activation-based framework designed to detect malicious behaviors in multi-agent systems (MAS) by analyzing the internal reasoning states of local agents. Unlike traditional methods that rely on explicit interaction graphs and assume synchronous execution, AcMAS effectively identifies stealthy attacks in both synchronous and asynchronous environments. The framework not only enhances detection accuracy鈥攁chieving a +0.22 F1 improvement in synchronous and +0.55 F1 in asynchronous settings over graph-based baselines鈥攂ut also facilitates the restoration of compromised agents, moving away from disruptive isolation strategies.
Stealthy attacks in multi-agent systems can be detected more effectively without relying on explicit interaction graphs, leading to a significant boost in detection accuracy.
While enabling effective collaboration on complex tasks, LLM-based Multi-Agent Systems (MAS) face critical security challenges due to vulnerabilities at the agent and interaction levels. Most existing MAS security defenses are built upon two core assumptions: semantically-explicit malicious attacks and explicit graph-based modeling of the MAS topology and agent-level interactions. In practice, real-world attacks are becoming more semantically stealthy, while MAS execution is typically asynchronous without the temporal alignment assumed by graph-based propagation models. To address these limitations, we propose AcMAS, an activation-based framework for malicious-behavior detection in MAS. By analyzing internal reasoning states in the activation space of local agents, AcMAS detects even stealthy attacks in a synchronization-robust fashion, without relying on explicit interaction graphs. Moreover, our activation analysis provides critical signals to guide AcMAS in restoring the functionality of compromised agents, rather than the disruptive agent isolation commonly used by the state-of-the-art methods. Comprehensive evaluation demonstrates that AcMAS significantly outperforms graph-based baselines against stealthy attacks, by +0.22 F1 in synchronous settings (0.94 vs. 0.72) and by +0.55 F1 in asynchronous settings (0.93 vs. 0.38), with generalization across diverse open-source LLM backbones, attack intensity, and MAS scale.